This is your weekly automated FAQ posting
SNORT FAQ
$Id: FAQ,v 1.14 2002/03/25 15:20:50 chrisgreen Exp $
Suggestions for enhancements of this document are
always welcome please email them to Dragos Ruiu at
dr at ...381...
The following people have contributed to this faq:
Marty Roesch
Fyodor Yarochkin
Dragos Ruiu
Jed Pickel
Max Vision
Michael Davis
Joe McAlerney
Joe Stewart
Erek Adams
Roman Danyliw
Christopher Cramer
Frank Knobbe
Phil Wood
Toby Kohlenberg
Ramin Alidousti
Jim Hankins
Dennis Hollingworth
Paul Howell
Stef Mit
Ofir Arkin
Jason Haar
Blake Frantz
Lars Norman Søndergaard
Brent Erickson
Brian Caswell
-----------------------------------------------------------------------------
Frequently Asked Questions about "snort"
Section 1: Snort Background
--------------------------
1.1 Q: How do you pronounce the names of some of these guys who work on snort?
1.2 Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?
1.3 Q: Where do I get more help on snort?
1.4 Q: Where can I get more reading and courses about IDS?
1.5 Q: Does Snort handle IP defragmentation?
1.6 Q: Does Snort perform TCP stream reassembly?
1.7 Q: Does Snort do stateful protocol analysis?
1.8 Q: I'm on a switched network, can I still use Snort?
1.9 Q: I've heard IDSes are vulnerable to noise generators like "Stick" and
"Snot". Is snort vulnerable?
1.10 Q: I've heard it is possible to use polymorphic mutators on shellcode?
1.11 Q: Does Snort log the full packets that it generates alerts?
Section 2: Getting Started
--------------------------
2.1 Q: How do I run snort?
2.2 Q: Where are my log files located? What are they named?
2.3 Q: Where's a good place to physically put a Snort sensor?
2.4 Q: Libpcap complains about permissions problems, what's going on?
2.5 Q: Why does snort complain about /var/log/snort?
2.6 Q: I've got RedHat and ....
2.7 Q: Where do I get the latest version of libpcap?
2.8 Q: Why does building snort complain about missing references?
2.9 Q: Why does building snort fail with errors about yylex and lex_init?
2.10 Q: I Want to build a snort box. Will this <Insert List> handle
<this much> traffic?
2.11 Q: What are CIDR netmasks?
2.12 Q: What is the use of the "-r" switch to read tcpdump files?
Section 3: Configuring Snort
----------------------------
3.1 Q: How do I setup snort on a 'stealth' interface?
3.2 Q: How do I run snort on an interface with no IP address?
3.3 Q: My network spans multiple subnets. How do I define HOME_NET?
3.4 Q: How can I run snort on multiple interfaces simultaneously?
3.5 Q: IP address is assigned dynamically to my interface, can I use snort
with it?
3.6 Q: I have one network card and two aliases, how can I force snort to
"listen" on both addresses ?
3.7 Q: How do I ignore traffic coming from a particular host or hosts?
3.8 Q: How do I get Snort to log the packet payload as well as the header?
3.9 Q: Why are there no subdirectories under /var/log/snort for IP addresses?
3.10 Q: How do you get snort to ignore some traffic?
3.11 Q: Why does the portscan plugin log "stealth" packets even though the
host is in the portscan-ignorehosts list?
3.12 Q: Which takes precedence, commandline or rule file ?
3.13 Q: How does rule ordering work?
3.14 Q: How do I configure stream4?
3.15 Q: Where does one obtain new/modifed rules? How do you merge them in?
3.16 Q: How do you get the latest snort via cvs?
Section 4: Snort Rules and Alerts
---------------------------------
4.1 Q: When I start snort I get errors from my rules files
4.2 Q: Snort says "Rule IP addr ("1.1.1.1") didn't x-late, WTF?"
4.3 Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully
quiet...
4.4 Q: I'm getting large amounts of some alerts type. What should I do? Where
can I go to find out more about it?
4.5 Q: What about all these false alarms?
4.6 Q: What are all these ICMP files in subdirectories under /var/log/snort?
4.7 Q: Why does the program generate alerts on packets that have pass rules?
4.8 Q: What are all these "ICMP destination unreachable" alerts?
4.9 Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
4.10 Q: What are these IDS codes in the alert names?
4.11 Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?
4.12 Q: What about "CGI Null Byte attacks"?
4.13 Q: Why do certain alerts seem to have 'unknown' IPs in ACID?
4.14 Q: Can priorities be assigned to Alerts using ACID?
4.15 Q: What about 'SMB Name Wildcard' alerts?
4.16 Q: What the heck is a SYNFIN scan?
4.17 Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null
Byte attack detected" false positives. How can I turn this detection
off?
4.18 Q: How do I test snort alerts and logging?
Section 5: Getting Fancy
------------------------
5.1 Q: How do I process those snort logs into HTML reports?
5.2 Q: How do I log to multiple databases?
5.3 Q: How can I test snort without having an ethnernet card or a connection
to other computers?
5.4 Q: How to start snort as a win32 service?
5.5 Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall?
5.6 Q: Snort complains about the "react" keyword...
5.7 Q: How do I get snort to e-mail me alerts?
5.8 Q: How do I log a specific type of traffic and send alerts to syslog?
5.9 Q: Is it possible to have snort call an external program when an alert
is raised?
Section 6: Problems
-------------------
6.1 Q: I think I found a bug in snort. Now what?
6.2 Q: SMB alerts aren't working, what's wrong?
6.3 Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?
6.4 Q: Snort says "Ran Out Of Space". Huh?
6.5 Q: I'm having problems getting snort to log to a database...
6.6 Q: My ACID db connection times-out when performing long operations (e.g.
deleting a large number of alerts)
6.7 Q: Why does snort report "Packet loss statistics are unavailable under
Linux"?
6.8 Q: My /var/log/snort directory get very large...
6.9 Q: Why does the 'error deleting alert' message occur when attempting to
delete an alert with ACIO?
6.10 Q: ACID appears to be broken in Lynx
6.11 Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)'
warnings, what's wrong.
6.12 Q: on HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid
argument
6.13 Q: I am getting snort dying with 'can not create file' error and I have
plenty of diskspace, what's wrong?
6.14 Q: I am using Snort on Windows and receive an OpenPcap() error upon
startup:
6.15 Q: Snort is not logging to my database
6.16 Q: Portscans are not being logged to my database
6.17 Q: Snort is not logging to syslog
6.18 Q: I am still getting bombarded with spp_portscan messages even though
the IP that I am getting the portscan from is in my $DNS_SERVERs var
6.19 Q: Why chrooted snort die when I send it a SIGHUP?
6.20 Q: My snort crashes, how do I restart it?
6.21 Q: Why can't snort see one of either the 10Mbps or 100Mbps traffic on my
autoswitch hub
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
***************************************
Section 1: SNORT BACKGROUND
***************************************
1.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do you pronounce the names of some of these guys who work on snort?
A: For the record, 'Roesch' is pronounced like 'fresh' without the 'f'.
Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc'. And
Jed's last name is like "pick-el", not "pickle". :)
1.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Is Fyodor Yarochkin the same Fyodor who wrote nmap?
A: Nope. fyodor at ...306... is the author of nmap, and he uses the
same pseudonym as other snort Fyodor's real surname. Yeah, messes up
my mailbox too, but I think it's too late to change either of them :-).
1.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where do I get more help on snort?
A: Check the website, http://www.snort.org. Other good resources are
are available in the source distribution, including the Snort Users
Manual (SnortUsersManual.pdf) and the USAGE file.
1.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where can I get more reading and courses about IDS?
A: SANS, USENIX and Networld/Interop offer courses on Intrusion detection.
http://www.sans.orghttp://www.usenix.org/event/http://www.key3media.com/interop/
Many good books on Intrusion detection are available. Included is just
a few:
Network Intrusion Detection An Analyst's Handbook
By Stephen Northcutt
ISBN 0735708681
TCP/IP Illustrated, Volume 1 The Protocols
By W. Richard Stevens
ISBN 0201633469
Intrusion Detection
By Rebecca G. Bace
ISBN 1578701856
1.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort handle IP defragmentation?
A: Yes, use "preprocessor frag2" or "preprocessor defrag" or "preprocessor
defrag2"
Each has slightly different capabilities.
1.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort perform TCP stream reassembly?
A: Yes, check out the stream4 preprocessor that does stateful analysis
session loggin, tcp reassembly and much much more... Check the FAQ question
on configuring stream4.
1.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort perform stateful protocol analysis?
A: Yes, Check out SNORT FAQ #1.6
1.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I'm on a switched network, can I still use Snort?
A: Being able to sniff on a switched network depends on what type of
switch is being used. If the switch can mirror traffic, then set
the switch to mirror all traffic to the snort machine's port.
1.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I've heard IDSes are vulnerable to noise generators like "Stick" and
"Snot". Is snort vulnerable to these types of attacks?
A: It is now possible to defeat these kinds of noise generators with
the stream4 preprocessor. Even without the stream4 preprocessor
enabled, snort will weather the alert storm without falling over
or losing a lot of alerts due to its highly optimized nature.
Using tools that generate huge amounts of alerts will warn a good
analyist that someone is trying to sneak by their defenses.
1.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I've heard it is possible to use polymorphic mutators on shellcode?
A: Yes, and this could defeat some of the NOP sled detection signatures
but the ordinary exploit rules should not be affected by this kind
of obfuscation. The SPACE statistical anomaly detector may detect
some of these attacks. A number of other defenses are being worked
on and should be ready by 2.0.
1.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Does Snort log the full packets that it generates alerts?
A: Yes, the packets should be in the directory that has the same IP
address as the source host of the packet which generated the alert.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
***************************************
Section 2: GETTING STARTED
***************************************
2.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I run snort?
A: Run Snort in sniffer mode (snort -dvi eth0) and make sure it can see the
packets. Then run it with the HOME_NET set appropriately for the network
you're defending in your rules file. A default rules file comes with the
snort distribution and is called "snort.conf" You can run this basic ruleset
with the following command line:
snort -A full -c snort.conf
If it's all set right, once it's running do an "ifconfig -a" and make sure
the interface is in promiscuous mode (it'll say so in the options section of
the printout). If it's not, there should be a way to set it manually.
Note that the default output mode (-A full) of snort should not be
used except in very controlled environments. It is the slowest way
to run snort and presents several hard to recover from problems
with inode creation on filesystems.
For people doing real IDS work, use something like (-A fast -b) to
combine fast alert mode with tcpdump binary log files or use the
unified format coupled with barnyard.
2.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where are my log files located? What are they named?
A: The default location for logs is /var/log/snort. If snort is started
with "-l <directory>", then the logs will be located in the directory
specified.
In the past, running Snort in daemon mode (-D) produced a file named
"snort.alert". For consistency sake, this has been changed. Running
Snort in both standard or daemon modes (-D) will produce a file named
"alert".
2.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where's a good place to physically put a Snort sensor?
A: This is going to be heavily influenced by your organizations policy, and
what you want to detect. One way of looking at it is determining if you
want to place it inside or outside your firewall. Placing an IDS outside
of your firewall will allow you monitor all attacks directed at your
network, regardless of whether or not they are stopped at the firewall.
This almost certainly means that the IDS will pick up on more events
than an IDS inside the firewall, and hence more logs will be generated.
Place an IDS inside your firewall if you are only interested in monitoring
traffic that your firewall let pass. If resources permit, it may be best
to place one IDS outside and one IDS inside of your firewall. This way
you can watch for everything directed at your network, and anything that
made it's way in.
2.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Libpcap complains about permissions problems, what's going on?
A: You are not running snort as root or your kernel is not configured
correctly.
2.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does snort complain about /var/log/snort?
A: It requires this directory to log alerts to it.
Use: mkdir /var/log/snort
Make sure the logging directory is owned by the user snort is running
as.
2.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I've got RedHat and ....
A: Check your version of libpcap. :) If it's not >= 0.5, then you should
update.
2.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where do I get the latest version of libpcap?
A: http://www.tcpdump.org/
2.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does building snort complain about missing references?
A: You must make libpcap with the --install-incl option or install the
libpcap-devel rpm.
2.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does building snort fail with errors about yylex and lex_init?
A: You need the lex and yacc tools or their gnu equivalents
flex and bison installed.
2.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I Want to build a snort box. Will this <Insert list of hardware> handle
<this much> traffic?
A: That depends. ;-) Lower the number of rules is a standard performance
increase. Disable rules that you don't need or care about. There have
been many discussions on 'tweaking performance' with lots of 'I handle
XX mb with a ___ machine setup.' being said. Look at some of the
discussions on snort-users
2.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are CIDR netmasks?
A: (Excerpt from url: http://public.pacbell.net/dedicated/cidr.html)
CIDR is a new addressing scheme for the Internet which allows for more i
efficient allocation of IP addresses than the old Class A, B, and C address
scheme.
CIDR Block Prefix # Equivalent Class C # of Host Addresses
/27 1/8th of a Class C 32 hosts
/26 1/4th of a Class C 64 hosts
/25 1/2 of a Class C 128 hosts
/24 1 Class C 256 hosts
/23 2 Class C 512 hosts
/22 4 Class C 1,024 hosts
/21 8 Class C 2,048 hosts
/20 16 Class C 4,096 hosts
/19 32 Class C 8,192 hosts
/18 64 Class C 16,384 hosts
/17 128 Class C 32,768 hosts
/16 256 Class C 65,536 hosts (= 1 Class B)
/15 512 Class C 131,072 hosts
/14 1,024 Class C 262,144 hosts
/13 2,048 Class C 524,288 hosts
For more detailed technical information on CIDR, go to
http://www.rfc-editor.org/rfcsearch.html and type in the number of the
CIDR RFC you are interested in:
RFC 1517: Applicability Statement for the Implementation of CIDR
RFC 1518: An Architecture for IP Address Allocation with CIDR
RFC 1519: CIDR: An Address Assignment and Aggregation Strategy
RFC 1520: Exchanging Routing Information Across Provider Boundaries in the
CIDR Environment
2.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What is the use of the "-r" switch to read tcpdump files?
A: Used in conjunction with a snort rules file, the tcpdump data can be
analyzed for hostile content, port scans, or anything else Snort can be
used to detect. Snort can also display the packets in a decoded format,
which many people find is easier to read than native tcpdump output.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
***************************************
Section 3: CONFIGURING SNORT
***************************************
3.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I setup snort on a 'stealth' interface?
A: Bring up the interface without an IP address on it. See FAQ 3.2...
http://www.geocrawler.com/archives/3/4890/2000/9/0/4399696/
A: Use an ethernet tap, or build your own 'receive-only' ethernet cable.
http://personal.ie.cuhk.edu.hk/~msng0/sniffing_cable/index.htm
A: Anyway, here is the cable I use:
LAN Sniffer
1 -----\ /-- 1
2 ---\ | \-- 2
3 ---+-*------ 3
4 - | - 4
5 - | - 5
6 ---*-------- 6
7 - - 7
8 - - 8
Basically, 1 and 2 on the sniffer side are connected, 3 and 6
straight through to the LAN. 1 and 2 on the LAN side connect to 3 and
6 respectively. This fakes a link on both ends but only allows
traffic from the LAN to the sniffer. It also causes the 'incoming'
traffic to be sent back to the LAN, so this cable only works well on
a hub. You can use it on a switch but you will get ...err...
interesting results. Since the switch receives the packets back in on
the port it sent them out, the MAC table gets confused and after a
short while devices start to drop off the switch. Works like a charm
on a hub though.
3.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I run snort on an interface with no IP address?
A: ifconfig eth1 up
3.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My network spans multiple subnets. How do I define HOME_NET?
A: Snort 1.7 supports IP lists. You can assign a number of addresses to
a single variable. For example:
var HOME_NET [10.1.1.0/24,192.168.1.0/24]
NOTE: Not all preprocessors support IP lists at this time. Unless
otherwise stated, assume that any preprocessor using an IP list variable
will use the first value as the HOME_NET. The portscan preprocessor
is an example. To catch all detectable portscans, pass 0.0.0.0/0 in
as the first parameter.
preprocessor portscan: 0.0.0.0/0 5 3 portscan.log
Use the portscan-ignorhosts preprocessor to fine tune and ignore
traffic from noisy, trusted machines.
3.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I run snort on multiple interfaces simultaneously.
A: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF available)
the only way is to run multiple instances of snort, one instance per
interface (with the -i option specifying the interface). However for
linux 2.1.x/2.2.x and higher you can use libpcap library with S. Krahmer's
patch which allows you to specify 'any' as interface name. In this case
snort will be able to process traffic coming to all interfaces.
3.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: IP address is assigned dynamically to my interface, can I use snort with it?
A: Yes. With snort 1.7 and later, <interface>_ADDRESS variable is available.
The value of this variable will be always set to IP address/Netmask of the
interface which you run snort at. if interface goes down and up again (and
an IP address is reassigned) you will have to restart snort. For earlier
versions of snort numerous scripts to achieve the same result are
available.
3.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I have one network card and two aliases, how can I force snort to "listen"
on both addresses ?
A: If you're using at least version 1.7, you can specify an IP list like
this:
var HOME_NET [192.168.<your-IP>/24,<Internet address>/32]
If you're using something older (version 1.6.3-patch2 or whatever) you can
re-specify the HOME_NET variable multiple times like this (for example):
var HOME_NET 10.1.1.0/24
include scan-lib
etc.
var HOME_NET 192.168.1.0/24
include scan-lib
etc.
3.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I ignore traffic coming from a particular host or hosts?
A: Write pass rules and add the host(s) to the portscan-ignorehosts list.
Call Snort with the -o option to activate the pass rules.
See http://www.snort.org/docs/writing_rules/ for more information.
A: Use bpf on the commandline to ignore a host (for example):
$ snort <commandline options> not host 192.168.0.1
3.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I get Snort to log the packet payload as well as the header?
A: Use the "-d" command line option.
3.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why are there no subdirectories under /var/log/snort for IP addresses?
A: It depends on how your snort configuration logs. If it logs in binary
format, you'll have to process the binary log in order to get cleartext
3.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do you get snort to ignore some traffic?
A1: Specify bpf filters on the command line the tcpdump man page
has a description of bpf filters.
A2: Use a pass rule
A3: The portscan preprocessor has it's own special exclusion list
with the portscan-ignorehosts.rules file directive
3.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the portscan plugin log "stealth" packets even though the
host is in the portscan-ignorehosts list?
A: These types of tcp packets are inherently suspicious, no matter where
they are coming from. The portscan detector was built with the assumption
that "stealth" packets should be reported, even from hosts which are not
monitored for portscanning. An option to ignore "stealth" packets may be
added in the future.
3.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Which takes precedence, commandline or rule file ?
A: The command line always gets precedence over the rules file. If people
want to try stuff out quickly without having to manually edit the rules
file, they should be able to override many things from the command
line.
3.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How does rule ordering work?
A: Marty has answered this many times on the snort-users mailing list. Here is
an excerpt from a post on Thu, 22 Feb 2001 00:31:53 -0500, titled "Re:
[Snort-users] order of evaluation of rules"
Currently, the data structures that store Snort rule data are the
RuleTreeNodes (RTN) and the OptTreeNodes (OTN). These data structs are
stored in a two dimensinal linked list structure with the RTNs forming
the top row of the "Array" and the OTNs forming the columns under the
RTNs. Here's an ASCII illustration from the infamous "lisapaper":
RTN RTN RTN
-------------- -------------- -----
| Chain Header | | Chain Header | | Chai
| | | | |
| Src IP | | Src IP | | Src
| Dst IP |----->| Dst IP |----->| Dst .....
| Src Port | | Src Port | | Src
| Dst Port | | Dst Port | | Dst
| | | | |
-------------- -------------- -----
| |
| |
| |
OTN \|/ OTN \|/
-------V------ --------V-------
| Chain Option | | Chain Option |
| | | : |
| Content | :
| TCP Flags | :
| ICMP Data |
| Payload Size |
| etc. |
| |
---------------
|
|
|
OTN \|/
-------V------
| Chain Option |
| |
| Content |
| TCP Flags |
| ICMP data |
| Payload Size |
| etc. |
| |
--------------
|
|
Rules with similar rule headers (i.e. all the CGI rules, the old stealth
port scan detection rules, most of the rules that focus on any single
service, etc) are grouped under a single RTN for the sake of efficiency
and the applicable OTNs are hung below them. For instance, if you have
three rules like this:
alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
alert tcp any any -> $HOME 80 (content: "bar"; msg: "bar";)
alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
They all get grouped under the same RTN and the OTNs are "hung" beneath
them like this:
RTN
--------------------
| SIP: any |
| SP: any |
| DIP: $HOME |
| DP: 80 |
--------------------
|
|
OTN \|/
---------v----------
| content: foo |
| msg: foo |
---------------------
|
|
OTN \|/
---------v----------
| content: bar |
| msg: bar |
---------------------
|
|
OTN \|/
---------v----------
| content: baz |
| msg: baz |
---------------------
This is an efficient way to do things because we only need to check the
data in the RTN once with this method. There is actually another
dimension to this array: the function pointer list. Each node in the
"array" has a linked list of function pointers attached to it. The
functions in this list are the tests that need to be done to determine
whether the data in the current packet matches the current rule node's
information. Having this function pointer list gives us great
efficiency and flexibility: we don't need to perform tests for things
the current rule doesn't contain (e.g. "any" ports/IPs, packet content
on non-content rules, etc). It also allows us to analyze the packet
with any function without having to make major modifications to the
whole program (which was the case in versions prior to version 1.5).
There are a couple of implications of this architecture. For the sake
of this discussion on rules ordering, the one we're interested in is
that rule order is tricky to figure out. For instance
alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";)
alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";)
alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";)
alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";)
gets built like this:
RTN RTN
-------------------- --------------------
| SIP: any | | SIP: any |
| SP: any |-------->| SP: any |
| DIP: $HOME | | DIP: $HOME |
| DP: 80 | | DP: 1-1024 |
-------------------- --------------------
| |
| |
OTN \|/ \|/
---------v---------- ---------v----------
| content: foo | | flags: S |
| msg: foo | | msg: example |
-------------------- --------------------
|
|
OTN \|/
---------v----------
| flags: S |
| msg: Port 80 SYN! |
--------------------
|
|
OTN \|/
---------v----------
| content: baz |
| msg: baz |
--------------------
Note that all three of the port 80 rules will be checked before the
"1:1024" rule due to the order in which the applicable RTN has been
created. This is because the rules parser builds the first chain header
for port 80 traffic and sticks it on the rules list, then on the next
rule it sees that a new chain header is required, so it gets built and
put in place. In this case you would intuitively expect to get the
"example" message and never see the "Port 80 SYN!", but the opposite is
true.
3.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I configure stream4?
A: Stream4 is an entirely new preprocessor that preforms two functions:
1) Stateful inspection of TCP sessions
2) TCP stream reassembly
I implemented stream4 out of the desire to have more robust stream
reassembly capabilities and the desire to defeat the latest "stateless
attacks" that have been coming out against Snort (c.f. stick and snot).
Stream4 is written with the intent to let Snort be able to handle
performing stream reassembly for "enterprise class" users, people who
need to track and reassemble more than 256 streams simultaneously. I've
optimized the code fairly extensively to be robust, stable, and fast.
The testing and calculations I've performed lead me to be fairly
confident that stream4 can provide full stream reassembly for several
thousand simultaneous connections and stateful inspection for upwards of
64,000 simultaneous sessions.
Stream4 is a large and complex piece of code (almost 2000 lines) and
there are a lot of options associated with its runtime configuration, so
I'll go over them here.
preprocessor stream4: [noinspect], [keepstats], [timeout <seconds>],
[memcap <btream4_reassemble defaults:
Reassemble client: ACTIVE
Reassemble server: INACTIVE
Reassemble ports: 21 23 25 53 80 143 110 111 513
Reassembly alerts: ACTIVE
There is a new command line switch that is used in concert with the
stream4 code, "-z". The -z switch can take one of two arguments: "est"
and "all". The "all" argument is the default if you don't specify
anything and tells Snort to alert normally. If the -z switch is
specified with the "est" argument, Snort will only alert (for TCP
traffic) on streams that have been established via a three way handshake
or streams where cooperative bidirectional activity has been observed
(i.e. where some traffic went one way and something other than a RST or
FIN was seen going back to the originator). With "-z est" turned on,
Snort completely ignores TCP-based stick/snot "attacks".
3.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Where does one obtain new/modifed rules? How do you merge them in?
A: New rules can be downloaded via CVS (See 3.16) or alternatively may be
found at www.snort.org. There is a mailing list dedicated to snort rules,
called snort-sigs hosted at sourceforge.
To merge in new rules check out the snortpp program in the snort/contrib
directory in the snort source archive.
3.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do you get the latest snort via cvs?
A: The Snort project's SourceForge CVS repository can be checked out
through anonymous (pserver) CVS with the following instruction set.
The module you wish to check out must be specified as the modulename.r
When prompted for a password for anonymous, simply press the Enter key.
cvs -d:pserver:anonymous at cvs.snort.sourceforge.net:/cvsroot/snort login
cvs -z3 -d:pserver:anonymous at cvs.snort.sourceforge.net:/cvsroot/snort co snort
Updates from within the module's directory do not need the -d parameter.
***************************************
Section 4: RULES AND ALERTS
***************************************
4.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: When I start snort I get errors from my rules files:
Some common ones:
ERROR somefile.rules:yy => Port value missing in rule!
ERROR somefile.rules:yy => Bad port number: "(msg:"blah"
ERROR somefile.rules:yy => Couldn't resolve hostname blah
What's going on?
A: somefile.rules is the file where the syntax error occurred, and yy is the
line number it occurred on. There are a couple of possibilities:
a) The rule is missing a port value, has an invalid port number, or a
bad hostname - in which case the ruleset author/maintainer should be
notified.
b) More often, the rule is just fine, but a variable in it was not
declared. Open the rules file, look at the rule on the line number
provided, and confirm that the variables it uses have been declared.
You can read more about variables from
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.1.2
4.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort says "Rule IP addr ("1.1.1.1") didn't x-late, WTF?"
A: Chuckle... Get rid of the quotes around the IP address and try again. :-)
4.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is behind a firewall (ipf/pf/ipchains/ipfilter) and awfully quiet...
A: Your firewall rules will also block traffic to the snort processes.
4.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I'm getting large amounts of <some alerts type>. What should I do? Where
can I go to find out more about it?
A: Some rules are more prone to producing false positives than others.
This often varies between networks. You first need to determine if it
is indeed a false positive. Some rules are referenced with ID numbers.
The following are some common identification systems, and where to go
to find more information about a particular alert.
System Example URL
---------------------------------------------------------------
IDS IDS182 http://www.whitehats.com/IDS/182
CVE CVE-2000-0138 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138
Bugtraq BugtraqID 1 http://www.securityfocus.com/vdb/bottom.html?vid=1
McAfee Mcafee 10225 http://vil.nai.com/vil/dispVirus.asp?virus_k=10225
It may be necessary to examine the packet payload to determine if the
alert is a false positive. The packet payload is logged using the -d
option. If you determine the alerts are false positives, you may want
to write pass rules for machines that are producing a large number of them.
If the rule is producing an unmanageable amount of false positives from
a number of different machines, you could pass on the rule for all traffic.
This should be used as a last resort.
4.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What about all these false alarms?
A: Most think that a pile of false positives is infinitely preferable. Then
people can turn off what they don't want. The reverse, having a small rule
set, can lure people into complacency thinking that Snort is doing "its
thing" and there is nothing to worry about.
4.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these ICMP files in subdirectories under /var/log/snort?
A: Most of them are likely destination unreachable and port unreachables that
were detected by snort when a communications session attempt fails.
4.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the program generate alerts on packets that have pass rules?
A: The default order that the rules are applied in is alerts first, then pass
rules, then log rules. This ordering ensures that you don't write 50 great
alert rules and then disable them all accidently with an errant pass rule.
If you really want to change this order so that the pass rules are applied
first, use the "-o" command line switch.
4.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are all these "ICMP destination unreachable" alerts?
A: ICMP is the acronym for Internet Control Message Protocol
They are failed connections ICMP unreach packet carries first 64
bits(8bytes) or more of the original datagrami and the original IP header.
The ICMP Destination Unreachable (message type 3) is sent back to the
originator when an IP packet could not be delivered to the destination
address. The ICMP Code indicates why the packet could not be delivered.
The original codes are:
0 net unreachable
1 host unreachable
2 protocol unreachable
3 port unreachable
4 fragmentation needed and DF bit set
5 source route failed
As far as why... "it all depends..."
ICMP Unreachable Error Messages are divided into two groups:
- ICMP Unreachable Error Messages issued by routers (all 16 of them)
- ICMP Unreachable Error Messages issued by a Host (only 2)
What are the only 2 issued by a host?
ICMP Port Unreachable - the destination port on the targeted host is
closed (a.k.a. not in a listening state).
ICMP Protocol Unreachable - the protocol we were trying to use is not
being used on the targeted host.
Both ICMP Type field and Code field indicates why the packets could
not be delivered. Some snort ICMP alerts" are informational like the ICMP
alerts found in icmp-info.rules. At this time there are no references
or even classtypes associated with these rules.
Other rules are more likely to be associated with untoward activity. For
example, in icmp.rules you will find:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger";
content:"|495353504e475251|";itype:8;depth:32; reference:arachnids,158;
classtype:attempted-recon; sid:465; rev:1;)
which has a reference where the importance might be determined by checking
out the aracnids reference. The classtype may indicate more or
less the relative importance of the event.
When a destination UDP port is closed on the targeted host, a.k.a. not
in a listening state, the targeted host will issue an ICMP Port Unreachable
error message back to the offending packets source IP address, given in
the query. Some programs use these messages, like traceroute with *nix
based machines. Windows based machines (tracert) will default to
ICMP Echo requests...
For further information about this see
IP ftp://ftp.isi.edu/in-notes/rfc791.txt
ICMP ftp://ftp.isi.edu/in-notes/rfc792.txt
TCP ftp://ftp.isi.edu/in-notes/rfc793.txt
UDP ftp://ftp.isi.edu/in-notes/rfc768.txt
and
http://www.iana.org/assignments/icmp-parameters
Actually, putting this URL somewhere handy is a good idea:
http://www.iana.org/
There is also a good ICMP paper on http://www.sys-security.com/
4.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set?
A: One of the reasons it alerts on a PA flags is to minimize the false
positive. You will only get an alert upon successful connections. If you
want to see all the attempts, you either have to modify the signatures, add
you own signatures or use your firewall logs to see if an attempt to
specific a port occurred.
4.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What are these IDS codes in the alert names?
A: IDS means "Intrusion Detection Signature" and identifies a
known attack attempt. You can learn more about a specific IDS id
at the arachNIDS search engine on http://www.whitehats.com/.
The "references" keyword in rules can also be a good pointer
for further research.
4.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort says BACKDOOR SIGNATURE... does my machine have a Trojan?
A: If you are dumping the data part of the packet, review it.
These rules are known to have high false rates as most of them
are just based on numeric port numbers.
4.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What about "CGI Null Byte attacks"?
A: It's a part of the http preprocessor. Basically, if the http decoding
routine finds a %00 in an http request, it will alert with this message.
Sometimes you may see false positives with sites that use cookies with
urlencoded binary data, or if you're scanning port 443 and picking up
SSLencrypted traffic . If you're logging alerted packets you can check
the actual string that caused the alert. Also, the unicode alert is
subject to the same false positives with cookies and SSL. Having the packet
dumps is the only way to tell for sure if you have a real attack on your
hands, but this is true for any content-based alert.
4.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why do certain alerts seem to have 'unknown' IPs in ACID?
A: The Snort database plug-in only logs packet information into the database
when an alert is triggered by a rule (signature). Therefore, since alerts
generated by pre-preprocessors such as portscan and mini-fragment have no
corresponding rules, no packet information is logged beyond an entry
indicating their occurance. As a consequence, ACID cannot display any
packet-level (e.g. IP address) information for these alerts.
For these particular alerts, certain statistics may show zero unique IP
addresses, list the IP address as 'unknown', and will not list any packet
information when decoding the alert.
4.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Can priorities be assigned to Alerts using ACID?
A: The quick answer to this question is no. ACID is at the mercy of the
underlying database, since Snort doesn't assign priorities, ACID does not
have priorities. Nevertheless, there are several work-arounds:
It is possible to enforce priorities of sort at the database level by
writing alerts of different severity to separate databases. For example,
critical alerts such as buffer overflows can be written to one database,
while scan alerts can be written to another. Then load two different versions
of ACID, each pointing to a different instance of the database.
With manual intervention Alert Groups (AG) can be used to assign priority.
Essentially, this strategy entails creating an AG for each severity level and
manually moving the alerts as they arrive into the appropriate group.
4.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What about 'SMB Name Wildcard' alerts?
A: Whitehats IDS177
http://dev.whitehats.com/cgi/test/new.pl/Show?_id=netbios-name-query
specifies traffic coming from *outside* of your local network. Allowing
netbios traffic over public networks is usually very insecure.
If the rule you are using also refers to ingres traffic only, then it
would explain why you don't see a lot of false positives. For anyone
reading that does see a lot of false postiives - if you change your rule
to reflect the source address as being !$HOME (or whatever variable you
use to represent your internal network), then you should see most of the
false positives go away.
The value of this chack is that a default administrative share C$ ADMIN$ or
some such has been accessed. This shouldn't happen in normal use - when
people want to share files they should be implicitely defining the shares
and ACL.
4.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: What the heck is a SYNFIN scan?
A: SYNFIN scans got their name because there are both the
SYN and FIN flags set.
4.17 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte
attack detected" false positives. How can I turn this detection off?
A: These messages are produced by the http_decode preprocessor. If you wish
to turn these checks off, add -unicode or -cginull to your http_decode
preprocessor line respectively.
preprocessor http_decode: 80 8080 -unicode -cginull
Your own internal users normal surfing can trigger these alerts in the
preprocessor. Netscape in particular has been known to trigger them.
Instead of disabling them,try a BPF filter to ignore your outbound http
traffic such as:
snort -d -A fast -c snort.conf not (src net xxx.xxx and dst port 80)
This has worked very well for us over a period of 5-6 months and Snort is
still very able to decode actual and dangerous cgi null and unicode attacks
on our public web servers.
4.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I test snort alerts and logging?
A: Try a rule that will fire off all the time like:
alert tcp any any -> any any (msg:"TCP traffic";)
Also take a look at sneeze at http://snort.sourceforge.net/sneeze-1.0.tar
Sneeze is a false positive generator that reads snort signatures and generates
packets that will trigger the rules.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
***************************************
Section 5: GETTING FANCY
***************************************
5.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I process those snort logs into HTML reports?
A1: One popular solution is SnortSnarf, a tool for producing HTML
out of snort alerts for navigating through these alerts
(and doing a whole lot more).
http://www.silicondefense.com/snortsnarf/
A2: If you want to set up logging to a database you could try ACID
Some documentation describing the current ACID functionality:
http://www.cert.org/kb/acid/
5.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I log to multiple databases?
A: You can build redundancy by using multiple output plugins. Here are
some examples.
Multiple instantiations of the database plugin:
output log_database: mysql, dbname=snort host=localhost user=xyz
output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz
Remote database and local tcpdump:
output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz
output log_tcpdump: /var/log/snort.tcpdump
Then you can replay the tcpdump file through snort to recreate the
database.
5.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How can I test snort without having an ethernet card or a connection to
other computers?
A: You have to use routing between two dummy devices:
modprobe -a dummy (The dummy device has to be build by the kernel)
ifconfig dummy0 192.168.0.1
ifconfig dummy0:0 192.168.0.2
telnet 192.168.0.3 12345
It's important that the second IP is on the same interface and not e.g.
dummy1 or dummy2 and that the IP you try to access is *not* one of those you
put on the interfaces. Use snort's ability to hear in promiscious mode on an
IP address range. (HOMEDIR=192.168.0.0/16)
5.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How to start snort as a win32 service?
A: Service support has been added to snort-1.6.3-patch2
You can download the binary from:
http://www.datanerds.net/~mike/dev/snort-1.6.3-patch2-service.zip
Right now there is only a binary available.
Snort Service FAQ:
1) Use must use complete paths for everything. This means EVERYTHING.
Command line, configuration files, everything. Examples:
All include statements must be full paths. I.E. 'include scan-lib'
is WRONG. 'include C:\snort\scan-lib' is CORRECT.
All Command line options must be full paths. I.E. 'snort.exe -l
./log' is WRONG. 'snort.exe -l C:\snort\log' is CORRECT.
2) YOU MUST ALWAYS HAVE A LOGGING DIRECTORY SET VIA THE COMMAND
LINE(-l switch). If you do not set a logging directory the service
will not start and, on NT/Win2k, your bootup will hang for about 4
minutes.
3) How to install the snort service.
Run snort like you would via command line but add a '-I'. I.E.
'snort.exe -c snort.conf -l ./log -h 192.168.1.0/24 -s' turns into
'snort.exe -c C:\snort\snort.conf -l C:\snort\log -h 192.168.1.0/24 -s
-I'
YOU MUST USE COMPLETE PATHS FOR ALL FILES/DIRECTORIES.
NOTE: You do NOT need to add the -D option to the command line when
you install the service. If -D is not there it will automatically be
added.
4) How to remove the snort service.
Run 'snort -R'.
5) Does the Service run on 9x/ME.
Yes. It uses a horrible hack to get it to work. Because of this when
you boot up you will see a black command prompt window for about 5
seconds before snort goes to the background. This service mode is
considered a horrible hack and probably will not work in every
situation.
6) What functions are support by the NT service.
Start and Stop currently. Pause and Resume will be implemented later
(Code already exists but not working properly).
Any questions, comments, flames please email mike at ...92...
5.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Is it possible with snort to add a ipfilter/ipfw rule to a firewall?
A: Yes, with additional software in the contrib directory. But this
can be dangerous and is not recommended unless you know what you're
doing.
Guardian is available and is part of the contrib directory in
the tarball distribution.
Guardian is a perl script which uses snort to detect attacks,
and then uses IPchains to deny any further attacks.
The Guardian webpage can be found at:
http://www.chaotic.org/~astevens/Guardian/index.html
or you can use the mirror,
http://www.cyberwizards.com/~midnite/Guardian/index.html
But one caveat... running external binaries can also be a performance
limiter and your should read the caution below...
Christopher Cramer wrote:
>
> I'm sure this has been mentioned before in similar discussions, but this
> feels like a _really_ bad idea. What if the bad guys realize what is
> going on and make use of your blocking method as a DoS attack. All one
> would have to do start sending a series of triggering packets with spoofed
> IP addresses.
>
> Since I am no longer interested in breaking into your site, but rather
> making your life hell, I don't worry about the resulting data getting back
> to me. All I have to do is start proceeding up a list of IP addresses
> that I think you should no longer be able to talk to. When you come in
> the next morning, you find that you can no longer access the world.
>
> Just my $0.02.
>
Danger Will Robinson: Conventional wisdom says that
auto-blocking is inherently dangerous.
However, for those that like to live at the
bleeding edge of tech (and the separate
process scanning logs and processing
firewall commands sounds like a good
way to do this...):
Please remember to include an exclusion list and put
on them important sites such as root servers, other
important dns servers (yours, and important sites for
your users), and in general any host you don't want
to receive phone calls about being DoSed when
they are spoofed - usually inconveniently like that
first time you actually manage to get on vacation....
(i.e. imagine "Crisis: the ceo can't reach his favorite
redlite.org game.... you have to fly back from the
carribean asap....")
5.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort complains about the "react" keyword...
A: Rerun configure with the --enable-flexresp option and rebuild/reinstall.
5.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I get snort to e-mail me alerts?
A: Log to syslog and use swatch or logcheck.
5.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I log a specific type of traffic and send alerts to syslog?
A: An example addition to snort.conf:
ruletype redalert
{
type alert
output alert_syslog: LOG_LOCAL2
output database: alert, postgresql, user=user dbname=snort password=pwd
}
[...snip...]
Go into your local.rules and make sure you have something like:
redalert tcp any any -> any any (msg:"REDRUM REDRUM"; content:"redalerttest")
Then just do a telnet and type 'redalerttest'. Presto, alerts to both.
5.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Is it possible to have snort call an external program when an alert is
raised?
Calling another program from within your main IDS loop is
generally a bad idea. Having your IDS block while waiting
for <something> of dubious reliability and origin nevermind
timing while the packets are piling up is inviting packet loss.
Especially with the already oh-so-consistent "Gee I think
I'll go away for a minute" rock steady even cpu slicing
Windows gives you (that's sarcasm, sorry). Go with the
second approach.... process invokation is expensive on
Windows.
You want to keep that IDS task humming and munching
packets as efficiently as possible with as few interruptions
as possible, imho, and not be invoking the penalty of
process invocation.... particularly on Windows where
process invocation is much much heavier task than *nix.
Even in a secondary process... You'll probably find
something that stays "awake" all the time will work out
much more nicely than something that gets "woken up"
on a per alert basis for the aforementioned reasons.
As a better alternative go check out swatch or logwatch.
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
***************************************
Section 6: PROBLEMS
***************************************
6.1 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I think I found a bug in snort. Now what?
A: get some more diagnostic information and post it to "snort-users" at
http://www.sourceforge.net
To get diagnostic information compile snort as either:
make clean; make CFLAGS=-ggdb
or
make clean; make "CFLAGS=-ggdb -DDEBUG"
trace coredump as:
gdb /path/to/snort /path/to/snort/core
gdb> where
gdb> bt
gdb> print $varname, varname, $$varname etc..
or if corefile isn't generated snort should be started as
gdb snort
gdb> run <snort args without -D switch :-)>
6.2 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: SMB alerts aren't working, what's wrong?
A: Make sure you include "--enable-smbalerts" when you run "./configure".
6.3 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort says "Garbage Packet with Null Pointer discarded!". Huh?
A: This was an internal diagnostic message triggered by an old bug
in early versions of the defragmentation preprocessor. Upgrade to
to the latest version of snort.
6.4 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort says "Ran Out Of Space". Huh?
A: This is an internal diagnostic message when the defragmentation
preprocessor runs into its ~32MB hard allocation space limit.
Tell Dragos about it <dr at ...381...>.
6.5 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I'm having problems getting snort to log to a database...
A: There were some issues with snort 1.6.3 writes
Lee wrote..
> > Initializing rule chains...
> > log_database: Database type is mysql
> > log_database: Database name is snort
> > log_database: Host set to localhost
> > log_database: User set to root
> > Problem obtaining SENSOR ID (sid) from mysql->snort->event
In version 1.6.3, it turns out that many people have seen this error
because they did not compile in support for their database. It should
be fixed in snort 1.7
A quick and easy "fix" for older snort versions is to add -lm to
either LIBS or LDFLAGS in the Makefile. e.g.
LIBS = -lm -lmysqlclient -lpcap -lsocket -lnsl
Anyway, if you are still having this problem you can take a look at
the updated the installation and configuration information at the
following web site.
http://www.incident.org/snortdb
6.6 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My ACID db connection times-out when performing long operations (e.g.
deleting a large number of alerts)
A: PHP has an internal variable set to limit the length an script can
execute. It is used to prevent poorly written code from executing
indefinitely. In order to modify the time-out value, examine the
'max_execution_time' variable found in the 'php.ini' configuration file.
6.7 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does snort report "Packet loss statistics are unavailable under Linux"?
A: The Linux IP stack doesn't report lost packet stats. This also has been
recently fixed with the 2.4 kernel in the new version of libpcap...
upgrade kernels and libpcap and it should now work.
6.8 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My /var/log/snort directory get very large.....
A: Try this script to archive the files.
#!/bin/sh
#
# Logfile roation script for snort writen by jameso at ...557...
#
# This script is pretty basic. We start out by setting some vars.
# Its job is tho rotate the days logfiles, e-mail you with what
# it logged, keep one weeks worth of uncompressed logs, and also
# keep compressed tgz files of all the logs. It is made to be run
# at midnight everynight. This script expects you to have a base
# dir that you keep all of your logs, rule sets etc in. You can
# see what sub dirs it expects from looking at the var settings
# below.
#
# Things to note in this script is that we run this script at 12
# every night, so we want to set the dirdate var the day the script
# runs minus a day so we label the files with the correct day. We
# Then create a dir for the days logs, move the log files into
# todays dir. As soon as that is done restart snort so we don't miss
# anything. Then delete any logs that are uncompressed and over a
# week old. Then compress out todays logs and archive them away, and
# end up by mailling out the logs to you.
#
# Define where you have the base of your snort install
snortbase=/usr/snort
# Define other vars
# logdir - Where the logs are kept
# oldlogs - Where you want the archived .tgz logs kept
# weeklogs - This is where you want to keep a weeks worth of log files uncompressed
# dirdate - Todays Date in Month - Day - Year format
# olddirdate - Todays date in the same format as dirdate, minus a week
logdir=$snortbase/log
oldlogs=$snortbase/oldlogs
weeklogs=$snortbase/weeklogs
# When I first wrote this script, I only ran it on BSD systems. That was a
# mistake, as BSD systems have a date command that apperently lets you walk the
# date back pretty easily. Well, some systems don't have this feature, so I had
# to change the way that dates are done in here. I left in the old way, because
# it is cleaner, and I added in a new way that should be portable. If anyone
# has any problems, just let me know and I will try to fix it.
#
# You have to change the system var to either bsd or other. Set it to bsd if
# your system supports the "-v" flag. If you are not sure, set it to other.
system=bsd
if [ $system = bsd ]
then
dirdate=`date -v -1d "+%m-%d-%y"`
olddirdate=`date -v -8d "+%m-%d-%y"`
elif [ $system = other ]
month=`date "+%m"`
yesterday=`expr \`date "+%d"\` - 1`
eightday=`expr \`date "+%d"\` - 8`
year=`date "+%y"`
dirdate=$month-$yesterday-$year
olddirdate=$month-$eightday-$year
fi
# Create the Dir for todays logs.
if [ ! -d $weeklogs/$dirdate ]
then
mkdir $weeklogs/$dirdate
fi
# Move the log files into todays log dir. This is done with
# a for loop right now, because I am afriad that if alot is
# logged there may be to many items to move with a "mv *"
# type command. There may a better way to do this, but I don't
# know it yet.
for logitem in `ls $logdir` ; do
mv $logdir/$logitem $weeklogs/$dirdate
done
# Kill and restart snort now that the log files are moved.
kill `cat /var/run/snort_fxp0.pid`
# Restart snort in the correct way for you
/usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \
-c /usr/snort/etc/08292k.rules > /dev/null 2>&1
# Delete any uncompressed log files that over a week old.
if [ -d $weeklogs/$olddirdate ]
then
rm -r $weeklogs/$olddirdate
fi
# Compress and save the log files to save for as long as you want.
# This is done in a sub-shell because we change dirs, and I don't want
# to do that within the shell that the script runs in.
(cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate > /dev/null 2>&1)
# Mail out the log files for today.
cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you at ...558...
cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you at ...558...
6.9 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why does the 'error deleting alert' message occur when attempting to delete
an alert with ACIO?
A: Most likely the DB user configure in ACID does not have sufficient
privileges. In addition to those privileges granted to log the alerts into
the database (INSERT, SELECT), DELETE is also required.
This permission related issue can be confirmed by manually inserting a row
into the database, then trying to delete it.
1. login to MySQL with the same credentials (i.e. username, password) as you
use in ACID.
e.g. % mysql -u -p
2. insert a test row into the event table
mysql> INSERT INTO event (sid, cid, signature, timestamp) VALUES (1,1000000, "test", "0");
(this assumes that you don't already have a row with an event ID=1000000. If
you do just choose another event id #)
3. now delete this newly inserted row
mysql> DELETE FROM event WHERE sid=1 AND cid=10000000;
If you where not able to delete, this confirms that this is a permission
problem. Re-login to mysql as root, and issue a GRANT command (giving the
DELETE permission) to the ACID DB user.
e.g. GRANT DELETE on snort.* to acid at ...274...
(this assumes that my alert database is 'snort', username is 'acid', and
logging from the 'localhost')
6.10 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: ACID appears to be broken in Lynx
A: This is a known issue. Lynx mangles some of the form arguments appended to
the URL. It's resolution is being investigated, but use Netscape, Opera, or
IE in the mean time.
6.11 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong.
A: You use older libpcap version with recent linux kernel. There should be
no problem with it as long as your kernel supports SOCK_PACKET socket
type. To get rid off the warning message however, you'll have to upgrade
to some recent version of libpcap. (a copy from www.tcpdump.org is
recommended).
6.12 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: on HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument
A: It's because there's another program running using the DLPI service.
The HP-UX implementation doesn't allow more than one libpcap program
at a time to run, unlike Linux. (from snort.c)
6.13 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I am getting snort dying with 'can not create file' error and I have
plenty of diskspace, what's wrong?
A: You may run out of free inodes, which basically also means you can not
create more files on the partition. The obvious solution is to rm some ;-)
6.14 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I am using Snort on Windows and receive an OpenPcap() error upon startup:
ERROR: OpenPcap() device open:
Error opening adapter
What's wrong?
A: Either winpcap is not installed, or you are using an incompatible version.
Try upgrading to the latest version (2.1 as of 4/11/01). It is available
from http://netgroup-serv.polito.it/winpcap/
6.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is not logging to my database
A1: You did not set up the database plugin in your configuration file.
A2: You are using an older database schema, and should update it by running the
create scripts from the /contrib directory of the source tarball.
A3: You are using a command line option that overrides what you have in your
configuration file. This is most often -A or -s. NOTE: If you wish to log
to syslog as well, specify so in your configuration file rather then the
command line.
A4: There is a problem with your database configuration itself. Make sure the
user you specify has the correct permissions, or that the database is even
up and running.
6.16 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Portscans are not being logged to my database
A: You need to change the output facility to 'alert' rather then 'log'. The
portscan preprocessor calls output plugins registered as 'alert' plugins
rather then 'log'.
output database: alert, mysql, user=snort dbname=snort host=localhost
6.17 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Snort is not logging to syslog
A1: You are using a command line option that overrides what you have in your
configuration file. This is most often -A.
A2: It may be logging to the wrong place. Make sure syslog is configured
correctly.
6.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from is in my $DNS_SERVERs var
A: Try adding /32 netmasks to those addresses:
var DNS_SERVERS [xxx.xx.0.3/32,xxx.xxx.0.2/32]
And make sure the $DNS_SERVERS variable is on the portscan-ignorehosts line:
preprocessor portscan-ignorehosts: $DNS_SERVERS
6.19 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why chrooted snort die when I send it a SIGHUP?
A: It's a known problem with permissions. Workaround, restart snort instead.
But the short answer is this: Due to the way the execv(2) call works, it
"Restarts" snort from scratch. This has the odd side effect of making
HUPS to a chrooted snort become recursive. For example, chroot to /snort.
It now sees /snort as / . Now HUP snort. Snort now expects to have
/snort/snort as /. In other words, you have to re-create your directories
for your jail inside it. 4 HUPS and you will be in
/snort/snort/snort/snort.
6.20 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: My snort crashes, how do I restart it?
A: Try this shell script or daemontools
#!/bin/sh
#snorthup: Snort Restarter and Crash Logger
#(dr at ...3018... with help from kmaxwell at ...1146...)
$conf = "snort.conf"
for $IFACE in fxp0 fxp1
do
if [ -f /var/run/snort_$IFACE.pid ]; then
if ! ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then
/usr/bin/logger -p user.notice snorthup: removing bogus pidfile
/usr/bin/logger -p user.notice snorthup: restarting absentee snort on $IFACE with conf file $i
rm -f /var/run/snort_$IFACE.pid
/usr/local/bin/snort -D -c $conf -i $IFACE
fi;
else
/usr/bin/logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf
/usr/local/bin/snort -D -c $conf -i $IFACE
fi
done
6.21 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch
hub
Basically it's a function of the design and all autoswitching hubs will
behave in this way. It's the result of just not being able to stuff all
the 100 Mbps traffic into the 10Mbps CSMA/CD. One solution I use to the
problem is these new cheapie four port switches... put all the 10Mbps on
it's own hub/switch/whatever and then route that to the 100Mbps hub I use
for monitoring but put a cheapie switch in between that works as an
adapter basically mediating the 10 up to 100 and vice versa.
The bad thing about hubs that _don't_ have this "feature", is that
in order to support 10bt devices, they throttle the entire hub speed
down to 10bt if there is one or more 10bt only devices hooked up to it.
I have seen this behavior (and did the bandwidth tests to proove it) on
old 3com office connect 10/100 hubs (newer ones do the 2 hubs with a switch
thing.) So, the point of what I am saying is, since these old hubs have
no switching capabilities, and they don't know which port the traffic is
supposed to go to (no switch=no arp table), they have to throttle bandwidth.
None of the hubs and switches have any significant amount of storage
on the ethernet chip sets, and therefore _any_ non-layer-three box that
has 100 -> 10 capability can only handle small amounts of traffic before
the chip set drops incoming packets on the floor. Guess one might call
that throttled bandwidth, but at the expense of retransmission timeouts
and retransmissions at the end nodes.
If the box has a backplane, multiple cards and some network management
functions, there is a higher _probability_ the manufacturer has some
additional buffering going on to keep dropped packets from happening
on at least small bursts of traffic.
In the most generic of terms, if a box supports 100 "full-duplex", then
its a switch (regardless of what the manufacturer calls it). If it
supports 100 -> 10, there is 50-50 chance the box has some MAC address
awareness. If a box only supports 10 -> 10 or 100 -> 100, there is a
high probability it is not MAC address aware and therefor functions
like a hub.
Many hubs have different back planes, ie one for 10 one for 100.
From a definition standpoint, a hub segment whether it be 10 or 100 is
a single broadcast/collision domain. You will not see ANY traffic
between segements without a bridge or layer3 route function between
them.
In a switched environment, typically each port is a separate collision
domain but one big broadcast domain. VLANs can be created in some to
separate into separate broadcast domains and some have built in layer
3 functionality which basically connects a router into the backplane
so that it can route between vlans at wire speed.
Think of a switch as a bridge with many ports. (that's what it is).
Some switches support port mirroring or span ports. When you want to
"sniff" frames in a switched environment (beyond just
broadcast/multicast traffic) you need to be able to "see" the unicast
traffic (telnet,http for example). You set up a port to mirror
traffic from the ports that have the devices your interested in to the
port you have your analysis device plugged into. Without doing so,
you don't see the unicast conversations because the traffic is getting
"switched" accross the backplane so pc on port 1 talks to server on
port 2 and no other ports get this traffic. If server on port 2
broadcasts or multicasts, the information is flooded out all ports.
(multicast can be controlled on some switches so only those ports that
have listening stations get the traffic. Not all switches have these
capabilities.
An excellent book on the topic is Interconnections by Radia Perlman.
(Bridges and Routers).
Additional caveat: if you deal with full duplex on a switched port,
only a tap would save you - users have succesfully used Shomiti's
ones on 100MB FD ports, and used two Snort instances, capturing
traffic on both directions. Port mirroring didn't work in that case ...
--faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
--END OF FAQ v1.8.1--